The security area gets more than its share of red tape.
So how do you chart a course that meets regulations without
getting strangled?
Complying with government and industry regulations is a major
concern for IT managers across the board. But few areas of IT get
to see as much red tape as security.
IT managers are now bound by law to store, back up, encrypt,
secure and protect their confidential data, and demonstrate that
they are doing this satisfactorily.
Many organisations in the public sector and the regulated
industries, such as utilities and legal or financial services, have
to demonstrate an information security policy that proves they have
a range of steps and measures in place. If these policies are not
adhered to, the regulators reserve the right to prosecute.
This happened in February this year, when the
Financial Services Authority (FSA) fined Nationwide Building
Society £980,000 for failing to have effective systems and
controls to manage its information security risks.
The failings came to light following the theft of a laptop from
a Nationwide employee's home last year. This prompted the FSA to carry
out an investigation, during which it found that the building
society did not have adequate information security procedures and
controls in place, potentially exposing its customers to an
increased risk of financial crime.
Margaret Cole, director of enforcement at the FSA, said, "Firms'
internal controls are fundamental in ensuring customers' details
remain as secure as they can be, and as technology evolves firms
must keep their systems and controls up-to-date to prevent lapses
in security.
The FSA took swift enforcement action in this case to send a
clear, strong message to all firms about the importance of
information security."
Afterwards, Nationwide took several measures, including
commissioning a comprehensive review of its information security
procedures and controls, and increasing security around its
accounts.
There are other regulators besides the FSA that require
sensitive data to be secured, for example for the pharmaceutical
and legal industries, and more recently the retail sector.
The latter has a new security requirement, the PCI Data Security
Standard, to ensure that member organisations secure their online
transactions and data.
It is based on an initiative by the Payment Card Industry (PCI),
driven by MasterCard, Visa and others, to lock down customer data
through ensuring that any company that handles credit card payments
keeps a tight rein on security.
The PCI requirements look at the fundamentals of IT security,
such as making sure that firewalls are only passing traffic on
accepted and approved ports, that servers are only running the
services that need to be live, or that databases are not configured
with supplier defaults, said Diane Kelly, vice-president and
service director at Burton Group.
"There is no other regulatory or industry compliance requirement
that is quite this granular. PCI is unique, but the data you
collect in a PCI compliance scan can be useful in meeting many
other kinds of audit and assessment requirements - an ISO 27001
certification or a Sarbanes-Oxley audit, for instance," she
said.
"You will be looking at many of the same things. After all, most
compliance comes down to things like whether your firewall is
correctly configured."
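The three fundamentals Kelly lists (approved ports only, needed services only, no supplier defaults) are mechanical enough to script. The example below is added to this article and is not Computer Weekly's code or any supplier's product; it checks a constructed host inventory against an assumed per-role baseline and an assumed list of supplier default accounts, reporting one finding per failing.

```python
# Example added to this article (not Computer Weekly's or any supplier's code).
# Checks a constructed host inventory for the PCI fundamentals Kelly describes:
# firewall passing only approved ports, only needed services live, and no
# database left on supplier default credentials.
from dataclasses import dataclass

# Per-role baseline (assumed for the example): ports the firewall may pass
# and services that may be live on a host of that role.
BASELINES = {
    "web": {"ports": {22, 443}, "services": {"sshd", "https"}},
    "db": {"ports": {22, 3306}, "services": {"sshd", "mysqld"}},
}

# Supplier default (username, password) pairs; an assumed, illustrative list.
SUPPLIER_DEFAULTS = {("root", ""), ("sa", ""), ("scott", "tiger"), ("postgres", "postgres")}


@dataclass
class Host:
    name: str
    role: str
    firewall_allow: set   # destination ports the host firewall passes inbound
    services: set         # names of listening services
    db_accounts: set      # (username, password) pairs configured on the database, if any


def scan_host(host):
    """Return a list of (check, detail) findings; an empty list means the host passes."""
    baseline = BASELINES[host.role]
    findings = []
    for port in sorted(host.firewall_allow - baseline["ports"]):
        findings.append(("firewall", f"{host.name} passes inbound traffic on unapproved port {port}"))
    for svc in sorted(host.services - baseline["services"]):
        findings.append(("services", f"{host.name} runs '{svc}', which does not need to be live"))
    for user, _pw in sorted(host.db_accounts & SUPPLIER_DEFAULTS):
        findings.append(("defaults", f"{host.name} database account '{user}' still has its supplier default credential"))
    return findings


def scan(hosts):
    """Map each host name to its findings, the shape an audit report would consume."""
    return {h.name: scan_host(h) for h in hosts}


# Constructed inventory: web01 is compliant, db01 has one failing of each kind.
INVENTORY = [
    Host("web01", "web", {22, 443}, {"sshd", "https"}, set()),
    Host("db01", "db", {22, 23, 3306}, {"sshd", "telnetd", "mysqld"}, {("root", ""), ("app", "constructed-pw")}),
]

if __name__ == "__main__":
    for name, findings in scan(INVENTORY).items():
        print(f"{name}: {'PASS' if not findings else 'FAIL'}")
        for check, detail in findings:
            print(f"  [{check}] {detail}")
```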
One international standard for security compliance that can be
applied across industries is the International Standards
Organisation's ISO 17799, known as ISO 27001 in Europe.
This is a formal process that helps an organisation demonstrate
that it has a high level of IT security management. It covers 10
major areas, including business continuity planning, physical and
environmental security, compliance, personnel security, asset
control and security policy.
One organisation that is working towards ISO 27001 is
international law firm Norton Rose, which believes that ISO
security accreditation will differentiate it from its
competitors.
ISO accreditation carries stringent tests for client data and
employee security, said Malcolm Todd, head of systems delivery at
Norton Rose. He added that the firm is using a range of software
products from Attachmate division NetIQ to help achieve ISO
security accreditation.
Todd explained that Norton Rose will go through a certification
process when it is ready, then face regular audits every six months
to a set framework. These checks could cover anything from e-mail
tracking to risk analysis, and any staff member can be interviewed
about the firm's security policy.
In addition, organisations must adhere to the UK Data Protection
Act 1998 if they hold information on members of the public. The act
contains eight principles of data protection, including that all
data is accurate and, where necessary, kept up to date, that data
be kept for no longer than necessary, that it is kept secure, and
that it is transferred only to countries that offer adequate data
protection.
Then there is the US Sarbanes-Oxley Act of 2002, which affects
any UK company that is listed on the US stock exchange. The act
requires strict internal controls and independent auditing of
financial information to defend proactively against fraud. This
carries potentially serious civil and criminal penalties for
non-compliance.
As with many of the industry security regulations, software
products are available that can help organisations to audit, test
and document their security processes.
One supplier that sells a specific on-demand PCI compliance
service is Qualys, with Qualysguard PCI. This is a subset of the
supplier's Qualysguard on-demand offering that is used by BAA,
Novartis and Travelodge to meet compliance requirements.
Another security compliance tool is available from Tier-3, whose
Huntsman product provides enterprise-wide threat management together
with real-time compliance and operational risk management
capabilities.
It works by detecting any non-compliant behaviour, establishing
an audit trail, reconstructing any security breach event and
carrying out forensic analysis. It also has the ability to enforce
the security policy.
Other point systems are available from suppliers such as
Computer Associates and IBM.
Andy Kellett, senior research analyst at Butler Group, said,
"There is an ever growing raft of regulatory rules and hoops to
jump through, depending on the business the organisation is in, and
some of them cut across the business.
"For example, if you are in the financial services sector you
have to properly comply with the FSA regulations and maybe Basel 2,
and if you are a retailer, you may also be responsible for
financial data," he said.
"So many security breaches take place, and reality tells us that
the average organisation has so many different systems and
infrastructures that it needs to protect, that nothing is ever
going to be 100% secure."
Kellett said that the starting point for any compliance exercise
is to carry out a full audit to understand what information the
business holds, what its vulnerabilities are and what elements of
the IT systems can be locked down. These include databases,
information storage systems and business applications, which could
put customers and the business itself at risk.
Following this it is essential to publish a security policy and
inform everyone who works in the organisation about what is and is
not allowed, said Kellett.
The organisation can automate much of the security activity. So,
for example, if the user acts in an insecure way, they could
receive an e-mail saying they have been doing something that is not
in line with policy, or the system may automatically encrypt a file
or lock down the user's file access.
"You tend to end up looking at products that do the monitoring,
alerting and protecting of information," Kellett said.
This could include managing and locking down the file access
rights of individual users, ensuring that particular attachments
cannot be sent from e-mails, or even using biometric login systems
to secure workers.
At the higher end of the security scale, the organisation could
use a military-grade system like Clearswift's Bastion, said
Kellett. This can isolate an IT system so that it only interacts
with a few other systems that are authorised to do so.
"Clearswift found that the military systems used by the Pentagon
were very secure, and that some private firms, financial services
and pharmaceutical companies which want to keep their patented
medicines properly protected, might benefit from a system where
communication could be locked down," said Kellett.
However, he added that this level of security may not be for
everyone.
Case study: Novartis harmonises global compliance
Andreas Wuchner, head of IT security architecture and strategy
for pharmaceuticals firm Novartis, said that industry regulations
are becoming increasingly complex and stringent.
“It is a highly regulated industry with external requirements
like the Food and Drug Administration and local laws. In Italy, you
can go to jail for not having an eight-character password. Things
that are okay here are not okay in the US. Things you can get away
with in the US you cannot in Germany.
“The biggest challenge is harmonising your compliance around the
world. We have to put in an incredible amount of effort for
different laws and requirements,” said Wuchner.
For four years, the firm has been using global IT application
Qualysguard from Qualys, to check its network and applications,
databases, and operating systems’ security compliance at all levels
across the globe.
Qualysguard has enabled Novartis to put together a global,
high-priority top-20 list of security concerns, which gives it a
traffic-light alert system for its different IT systems, as well as
its outsourcing partners.
Prior to Qualysguard, Novartis used two point systems.